b'January 7, 2010\n\nPAULA S. GARNER\nSUPPLIES PORTFOLIO MANAGER\n\nSUBJECT: Audit Report \xe2\x80\x93 Supplier Risk Mitigation in the Supplies Portfolio\n         (Report Number CA-AR-10-003)\n\nThis report presents the results of our audit of Supplier Risk Mitigation in the Supplies\nPortfolio1 (Project Number 09YG014CA000). This was a self-initiated audit to assess\nU.S. Postal Service Supplies Portfolio actions to identify and mitigate risk for\ncommodities with a limited supplier base. The audit addresses Postal Service\noperational risk. See Appendix A for additional information about this audit.\n\nConclusion\n\nFor the two Category Management Centers (CMC) identified as having a limited\nsupplier base risk, we determined that CMC personnel can be more proactive in\nidentifying and mitigating potential risks. Specifically, the audit found that Commodity\nStrategy Sourcing Plans (CSSP) were not supported with documentation or detailed\nanalysis, CMC personnel did not identify limited supplier base as a risk for Information\nTechnology (IT mainframes, and CMC personnel did not conduct analyses of suppliers\xe2\x80\x99\nfinancial health.\n\nSourcing Plans Were Not Supported With Detailed Written Analysis\n\nSupply Management officials could not provide supporting documentation or detailed\nwritten analysis to support CSSPs beyond the minimal detail provided in CSSP\nsnapshots and related briefing documents. Management did not maintain\ndocumentation and analysis due to time constraints and the general belief that\ndocumentation was not necessary. Postal Service guidelines state that the snapshot\nreport should be a synopsis of the CSSP and summarize the results of the individual\nparts of the CSSP.2 The CSSP template requires a description of the commodity and\nits history; identification of the suppliers\xe2\x80\x99 capabilities; and identification of market factors\nincluding existing market conditions, competition, and alternatives. Because no\nsupporting documentation or detailed analysis is maintained to support the CSSP and\n\n1\n  The Supplies Portfolio includes the Information Technology (IT), Vehicles, and Delivery, Industrial Equipment, and\nTelecommunications Category Management Centers (CMC).\n2\n  Supplying Principles and Practices issued May 1, 2006, and updated through July 28, 2009.\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                                              CA-AR-10-003\n\n\n\nthe snapshots, the Postal Service has no assurance that the CSSP and the snapshots\nare based on adequate commodity analysis, or that all potential commodity and supplier\nrisks were analyzed and mitigated. See Appendix B for our detailed analysis of this\ntopic.\n\nWe recommend the Supplies Portfolio manager require all Supplies Category\nManagement Center managers to:\n\n1. Ensure that each category management center prepares and maintains full\n   Commodity Strategy Sourcing Plans, supported by written analysis of risk\n   identification and mitigation efforts.\n\nLimited Supplier Base Risk Not Identified and Mitigated\n\nThe CSSP snapshot information provided does not identify a limited supplier base as a\nrisk for the Postal Service\xe2\x80\x99s sole supplier of mainframes. A limited supplier base is not\nidentified as a risk because the IT CMC manager believes the supplier is financially\nsound and the agency could rapidly fill their position in the market should they leave. In\naddition, discussions with CMC personnel indicate that a potential risk mitigation\nstrategy might involve increasing the use of open source code on mid-range computers,\nbut that strategy has not been fully developed and documented. Postal Service\nguidelines state that an effective commodity strategy provides for the elimination of\nunidentified risks and proactive risk management.3 Risks that may not be easily\neliminated or mitigated should be recognized and addressed when a key commodity\nhas a limited supplier base. Although alternative solutions may be available, potential\nsupply disruptions from unidentified risks could negatively impact Postal Service\noperations.\n\nThe Postal Service has recently had to respond to supply chain disruption in one of its\nlimited supply base commodities. The supplier of the Postal Service\xe2\x80\x99s long-life vehicle\nframes suddenly decided to exit the market. This required the Postal Service to\npurchase the supplier\xe2\x80\x99s existing inventory and find other sourcing options. While the\nPostal Service projects to have enough inventory to carry it through solicitation and\nimplementation of a new contract, the need to purchase the existing inventory and\nrapidly develop and compete a solicitation was not without significant impact.\n\nThe Postal Service should not limit risk mitigation strategies to identifying potential\nadditional suppliers, but could include inventory management to minimize the impact of\nunforeseen supply disruption. See Appendix B for our detailed analysis of this topic.\n\n\n\n\n3\n    Supplying Principles and Practices issued May 1, 2006, and updated through July 28, 2009.\n\n\n\n\n                                                          2\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                                                  CA-AR-10-003\n\n\n\nWe recommend the Supplies Portfolio manager instruct the Information Technology\nCategory Management Center manager to:\n\n2. Reassess the risks associated with having a limited supplier base for Information\n   Technology mainframes and establish and document risk mitigation strategies to\n   address those risks.\n\nKey Suppliers\xe2\x80\x99 Financial Health Risk Not Analyzed\n\nSupply Management officials did not obtain and analyze suppliers\xe2\x80\x99 financial statements,\nor document other analyses of supplier financial health. The CMC managers stated that\nsuppliers were financially sound and they did not believe ongoing financial statement\nanalysis was warranted. As a result, the Postal Service supply chain could be\nvulnerable to an unexpected exit or sudden change in the business of their suppliers\ndue to a change in suppliers\xe2\x80\x99 financial status. Postal Service guidelines states that\nmanagement should conduct analyses of supplier capability before awarding a contract\nto determine the supplier\xe2\x80\x99s performance ability throughout the life of the contract. In\naddition, a financial capability analysis aids in determining a supplier\xe2\x80\x99s ability to remain\nfinancially solvent and protects the Postal Service from poor contract performance and\nrisks.4 This type of analysis is important for commodities with a limited supplier base,\nparticularly in the current economic environment. See Appendix B for our detailed\nanalysis of this topic.\n\nWe recommend the Supplies Portfolio manager require all Supplies Category\nManagement Center managers to:\n\n3. Establish and implement a methodology to routinely analyze, document, and monitor\n   the financial health of key suppliers.\n\nBest Practices in Private Industry Study Results\n\nAs a part of our audit, we evaluated best practices on managing risk in supply\nmanagement. We focused on those practices by best in class organizations. We found\nthat best in class organizations approach supply chain risk management from the\nperspective of engaging in a disciplined set of steps to manage risk as a whole is the\nkey to being successful at it. These steps include:\n\n      \xef\x82\xb7    Determining critical suppliers using segmentation.\n      \xef\x82\xb7    Analyzing the suppliers\xe2\x80\x99 marketplace and assessing individual suppliers.\n      \xef\x82\xb7    Defining risk performance metrics and reporting.\n      \xef\x82\xb7    Deploying risk mitigation strategies.\n\n\n\n4\n    Supplying Principles and Practices (SP&Ps) issued May 1, 2006, and updated through July 28, 2009.\n\n\n\n\n                                                          3\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                              CA-AR-10-003\n\n\n\nIn general, we found that Supply Management policies and guidelines embrace these\nconcepts.\n\xc2\xa0\nManagement\xe2\x80\x99s Comments\n\nManagement generally agreed with the intent of the findings and recommendations.\nAlthough management indicated there was a fundamental difference of opinion as to the\namount of documentation needed for the CSSPs, they plan to enhance the use of the\nCSSP through an ongoing strategic initiative that includes the development of a risk\nmitigation worksheet. This strategic enhancement has a target implementation date of\nMay 2010. Management also stated they are in the process of further analyzing their IT\nmainframe limited supplier base risk and mitigation strategies and will provide\ndocumentation regarding those strategies by March 2010. To ensure that contracting\nofficers are aware of the need to monitor supplier financial health, management intends\nto forward our final report to contracting officers \xe2\x80\x94 emphasizing this need \xe2\x80\x94 by\nFebruary 2010. See Appendix C for management\xe2\x80\x99s comments in their entirety.\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nThe U.S. Postal Service Office of Inspector General (OIG) considers management\xe2\x80\x99s\ncomments responsive to the recommendations and management\xe2\x80\x99s corrective actions\nshould resolve the issues identified in the report. We continue to find documentation of\nrisk identification and mitigation strategies to be critical for commodities with a limited\nsupplier base, and encourage current strategic streamlining efforts to look towards\nmaking such documentation more efficient, rather than discontinuing documentation of\nkey risk identification and mitigation strategies.\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Judy Leonhardt, director,\nSupply Management, or me at (703) 248-2100.\n\n         E-Signed by Mark Duda\n    VERIFY authenticity with ApproveIt\n\n\n\n\nMark W. Duda\nDeputy Assistant Inspector General\n for Support Operations\n\nAttachments\n\ncc: Joseph Corbett\n    Susan Brownell\n    Susan Witt\n    Sally K. Haring\n\n\n\n                                                     4\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                                                    CA-AR-10-003\n\n\n\n                           APPENDIX A: ADDITIONAL INFORMATION\n\nBACKGROUND\n\nSupply Management works proactively with internal and external Postal Service\nbusiness partners to deliver best value solutions that are timely, cost effective, and\noperationally efficient to integrate supply chains. These efforts include combining\nstrategic and tactical buying, supplying processes, and managing customer and supplier\nrelations so they further the business and competitive needs of the Postal Service.\nWithin Supply Management, the Supplies Portfolio meets Postal Service needs for IT,\nvehicles, delivery and industrial equipment, and telecommunications through CMCs.\n\nThe CMCs develop the CSSP. The purpose of developing CSSP is to ensure the\nSupply Management organizations responsible for purchasing commodities use a\nsystematic process for developing strategies to achieve supply chain management\ngoals that fully support corporate, Supply Management, and cross-functional business\nobjectives. It is a set of analyses that, together, support and determine the commodity\nstrategy, providing a basis of support for Postal Service purchasing of specific products\nor services. The intended content of the CSSP includes stakeholder analysis, pricing\nanalysis; market research; the Strengths, Weaknesses, Opportunities, and Threats\n(SWOT) analysis; and commodity strategy development. The CSSP also includes the\nCommodity Sourcing Quadrant Analysis.5\n\nEach year selected CMCs present the CSSP snapshot to the Postal Service Supply\nManagement Leadership Team6 to obtain concurrence with the commodity strategy.\nThe snapshot is a high-level synopsis of the CSSP and summarizes the results of its\nindividual parts.7\n\n\n\n\n5\n  A tool developed by the Postal Service Supply Chain Management Strategies. It provides a list of questions that\nserve as the criteria for evaluating each commodity. Based on user input, the tool performs a weighted calculation to\ndetermine the overall relative value and risk of each commodity and graphs the results on a gradated chart.\n6\n  The Supply Management Leadership Team includes the vice president of Supply Management, Portfolio managers,\nand managers from supply management-enabling organizations.\n7\n  Supplying Principles and Practices issued May 1, 2006, and updated through July 28, 2009.\n\n\n\n\n                                                          5\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                           CA-AR-10-003\n\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nOur objectives were to assess Postal Service Supplies Portfolio actions to identify and\nmitigate risk for commodities with a limited supplier base and analyze best practices\nand benchmark supplier risk mitigation approaches for potential use by the Postal\nService. To accomplish our objectives, we interviewed the Supplies Portfolio manager\nand the IT and Vehicles CMC managers and staff to discuss current risk mitigation\nstrategies for commodities with limited supplier base risk.8 We reviewed CSSP\nsnapshots to identify commodities with a limited supplier base, individual purchase\nplans, decision analysis reports, contracts and contract modifications, and national\nordering agreements and modifications. We interviewed contracting officers and market\nanalysts regarding market research, limited supplier base determination, commodity\nprice and cost analyses, and determinations of supplier financial stability. Furthermore,\nwe reviewed the SP&P sections relevant to our audit objectives and contracted for a\nbenchmarking and best practices analysis regarding supplier risk mitigation.\n\nWe conducted this performance audit from February 2009 through January 2010 in\naccordance with generally accepted government auditing standards and included such\ntests of internal controls as we considered necessary under the circumstances. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objectives. We discussed our\nobservations and conclusions with management officials on October 21, 2009, and\nincluded their comments where appropriate.\n\nPRIOR AUDIT COVERAGE\n\nWe identified one OIG report issued within the past 5 years related to this subject. The\naudit, Commodity Sourcing Activities within the Automation Category Management\nCenter (Report Number CA-MA-07-005, dated August 2, 2007) concluded that the\nPostal Service addressed the small supplier base through the CSSP, acquisition\nstrategy and strategic partnerships with key suppliers, semiannual meetings, and\ncontract protection clauses. The report did not identify any monetary impacts. The OIG\nrecommended other sourcing efforts such as leader company contracting to increase\nthe supplier base and implementation of protection clauses for Postal Service\ntechnology rights should the Postal Service debar or suspend a supplier. Management\nagreed with the findings and recommendations.\n\n\n\n\n8\n    Relying on only one or two suppliers for the commodity.\n\n\n\n\n                                                              6\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                              CA-AR-10-003\n\n\n\n                               APPENDIX B: DETAILED ANALYSIS\n\nSourcing Plans Were Not Supported With Detailed Written Analysis\n\nWe found that managers could not provide full CSSPs and did not maintain supporting\ndocumentation or detailed written analysis to support the CSSP snapshots in the\nSupplies Portfolio for commodities CMCs identified as having a limited supplier base.\nThe IT CMC manager could not provide a reason why there was no full CSSP\ndocumentation and provided briefing documents that offered key information, but not full\nanalysis. The Vehicles CMC manager confirmed there was no additional information\nand noted that he and his staff had detailed working knowledge of their commodity\nstrategy, diminishing the need to document the analysis supporting the snapshot, a one-\npage document. In addition, the Vehicles CMC analyst staff stated they did not have\ntime to complete a detailed written analysis due to time spent on the Green Initiative\nand other priorities.\n\nThe CSSP template requires descriptions of the commodity and its history, identification\nof suppliers\xe2\x80\x99 capabilities, and identification of the market factors including existing\nmarket conditions, competition, and alternatives. In addition, management should\nidentify industry and market trends that are driving the market and document all relevant\ninformation resulting from the benchmarking study. Furthermore, the plan should\ninclude details on supplier involvement in the product design and supplier development\nplan, if applicable. Without maintaining a full CSSP or supporting documentation or\ndetailed information behind the CSSP snapshots, the Postal Service has no assurance\nthat it is based on adequate commodity analysis, or that all potential commodity and\nsupplier risks were analyzed and mitigated.\n\nSupply Management recognizes the need for a robust and well-supported commodity\nstrategic sourcing approach in the SP&P and in their guidance for commodity strategic\nsourcing plans. Efforts are underway in Supply Chain Management Strategies to\nstrengthen commodity strategic sourcing activities. Those efforts include developing a\nrisk analysis model to incorporate into the CSSP or implement as a separate document.\nCompeting priorities have delayed the development of this risk model and a draft had\nnot yet been provided at the time of our audit.\n\nWe interviewed CMC staff and reviewed the contract files for the supplier for the\nmainframe computers in the IT CMC and the supplier for vehicle parts in the Vehicles\nCMCs to determine how limited supplier base risk is identified and mitigated. While\nCMC officials were knowledgeable of the information regarding their respective\ncommodities and the snapshot, this knowledge of commodity risk was not documented\nin the CSSPs. Supply Management officials explained that there was no additional\ninformation except for the CSSP snapshot, but risk identification and mitigation would\nbe found in each contract file. Within the contract files, the individual purchase plans for\nboth suppliers reviewed identified the technical, cost, and schedule risks, but did not\n\n\n\n\n                                                     7\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                                                   CA-AR-10-003\n\n\n\naddress the limited supplier base risk. However, we found no further documentation of\nrisk identification and mitigation in the contract file.\n\nLimited Supplier Base Risk Not Identified and Mitigated\n\nThe CSSP snapshots provided for IT hardware do not reflect the limited supplier base\nrisk for the Postal Service\xe2\x80\x99s sole supplier of mainframes. The IT CMC manager stated\nthat while the supplier is the only manufacturer of mainframes, he believed they would\nnot likely go out of business based on their financial strength. He further stated that, if\nthey did have financial trouble, a buyer would likely purchase the company and the\nPostal Service would continue business with the new company. In addition,\nconversations with the IT CMC manager and his staff indicated that the risk might be\nmitigated through the use of open source code on mid-range computers; however, that\nmitigation plan was not fully developed and documented.\n\nThe SP&P general practices state that an effective commodity strategy, based on the\nCSSP and synopsized in the CSSP snapshot report, provides for the elimination of\nunidentified risks and proactive risk management. Although alternative solutions may\nbe available, potential supply disruptions from unidentified risks could negatively affect\nPostal Service operations as officials act reactively rather than proactively to supply\ndisruptions. In addition, management should recognize and address any risk that may\nnot be easily eliminated or mitigated when a key commodity has a limited supplier base.\n\nWe reviewed the CSSP snapshots for IT hardware and noted that the threats identified\nin the SWOT analysis did not identify limited supplier base risk. Although mainframes\nwere rated as high risk for commodity sourcing, officials stated that a limited supplier\nbase risk was not listed because they do not perceive that as a risk for mainframes.\nAlthough they did not identify the risk, officials stated they have strategies in place such\nas the IT department\xe2\x80\x99s disaster recovery continuity plan, use of marketing contractor\n(The Gartner Group9), and moving to an open source environment with Linux.10\nHowever, with 88 critical applications residing on mainframes, including payroll and the\nproduct tracking system, the CMC should identify limited supplier base risk and\ndetermine what mitigation practices, if any, should be included in the CSSP. Risk\nmitigation strategies for limited supplier base need not be limited to finding new\nsuppliers. Documenting a supply chain disruption plan can include documenting the\ncurrent inventory management strategy and the potential platform migration strategy.\n\n\n\n\n9\n  The Postal Service uses the research report, which provides information on a company\xe2\x80\x99s strategies and\norganization; and the vendor report that provides a Gartner rating based on research, information on the company\xe2\x80\x99s\nmarketing, market offerings, and financial information.\n10\n   Linux is an operating system that facilitates the transfer of applications between servers or mainframes more\neasily.\n\n\n\n\n                                                         8\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                             CA-AR-10-003\n\n\n\nKey Suppliers\xe2\x80\x99 Financial Health Risk Not Analyzed\n\nSupply Management officials did not obtain or analyze suppliers\xe2\x80\x99 financial statements.\nCMC managers stated that suppliers were financially sound and they did not believe\nongoing financial statement analysis was warranted. The SP&P states that analysis of\nsupplier capability is conducted before contract award to determine the supplier\xe2\x80\x99s\nperformance ability throughout the life of the contract. A financial capability analysis\naids in determining the supplier\xe2\x80\x99s ability to remain financially solvent and protects the\nPostal Service from poor contract performance and risks. As a result, the Postal\nService supply chain could be vulnerable to an unexpected exit or sudden change in the\nbusiness of their suppliers due to a change in the supplier\xe2\x80\x99s financial status.\n\nThe contract files relevant to both the vehicles and IT commodities did not contain a\nfinancial analysis for the suppliers reviewed. The IT CMC did obtain a marketing report\nfrom the Gartner Group, which noted the company\xe2\x80\x99s revenue and net income trends,\nbut did not contain a financial analysis. In addition, the Vehicles CMC manager stated\nthe CMC obtained and analyzed Equifax reports, which identify a company\xe2\x80\x99s credit\nstatus. Any financial concerns were reviewed with the company during quarterly\nmeetings. Although the vehicle parts supplier\xe2\x80\x99s National Ordering Agreement file\ncontained an Equifax report dated June 15, 2009, there was no record of previous\nEquifax reports or records of previous discussions held with the suppliers. In addition,\nthe Equifax report for the supplier in question showed a high-risk credit score.\n\nBest Practices in Private Industry Study Results\n\nWe contracted with a firm to provide a report on managing risk in supply management\nby best-in-class organizations. To accomplish this task, the firm performed interviews at\n10 private sector companies, literature research, and benchmarking, and interviewed\ncompany experts in the field of supply chain management. Their research suggested\nthe following best practices:\n\n    \xef\x82\xb7   Develop a holistic approach to supply chain risk management to better\n        understand the vulnerabilities within the supply chain.\n\n    \xef\x82\xb7   Align procurement staff strategically so that more procurement and sourcing staff\n        are dedicated to value-added activities (e.g., spend analysis, supplier evaluation,\n        ongoing supplier performance management) and fewer to transactional functions\n        (e.g., requisitioning and order processing).\n\n    \xef\x82\xb7   Develop processes that drive risk, allowing the supply manager to be more\n        proactive rather than simply reacting to specific events.\n\n    \xef\x82\xb7   Foster trust and collaboration with suppliers.\n\n\n\n\n                                                     9\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                                CA-AR-10-003\n\n\n\n    \xef\x82\xb7   Employ a multifunctional supply risk management team to lead efforts in\n        identifying major risks, creating risk mitigation strategies, and developing tactical\n        action plans when disruptions actually occur.\n\n    \xef\x82\xb7   Foster communication of risk management efforts so employees understand key\n        principles and goals of risk management.\n\n    \xef\x82\xb7   Foster collaboration with key supply chain partners by proactively sharing\n        information.\n\n    \xef\x82\xb7   Conduct market segmentation to identify suppliers most critical to strategy,\n        operations, and reputation.\n\n    \xef\x82\xb7   Align the investment in risk management in those suppliers and supply markets\n        that pose a risk to the strategic mission of the enterprise.\n\n    \xef\x82\xb7   Understand the supplier marketplace as well as the individual supplier.\n\n    \xef\x82\xb7   Combine financial data with qualitative information in order to obtain an accurate\n        risk profile.\n\n    \xef\x82\xb7   Conduct a market analysis of each key supply market and, where appropriate,\n        financial analysis of suppliers.\n\n    \xef\x82\xb7   Develop a robust and risk-based supplier framework that leverages self-\n        reporting, financial and operational data collection, industry information, and on-\n        site supplier reviews.\n\n    \xef\x82\xb7   Design supplier relationship management programs and reporting systems in a\n        manner that encourages collaboration with suppliers both to manage risks and to\n        encourage innovation and teamwork.\n\n    \xef\x82\xb7   Define metrics for monitoring risk that go beyond the traditional metrics for\n        measuring contract compliance. These include metrics on quality, financial\n        condition of supplier, technology leadership, price competitiveness, and location\n        risk exposure.\n\n    \xef\x82\xb7   Conduct enhanced monitoring for those suppliers identified as being outside the\n        risk limits.\n\n    \xef\x82\xb7   Foster supplier development and support programs for critical suppliers.\n\n    \xef\x82\xb7   Analyze supplier health over a period of time and compare it to industry\n        averages.\n\n\n\n\n                                                     10\n\x0cSupplier Risk Mitigation in the Supplies Portfolio                           CA-AR-10-003\n\n\n\n\n    \xef\x82\xb7   Develop a business continuity plan that included the sourcing of goods from\n        alternative suppliers.\n\nWe provided the full contractor report to Supply Management for consideration as they\nlook to further improve and strengthen their supply chain risk mitigation strategies.\n\n\n\n\n                                                     11\n\x0cSupplier Risk Mitigation in the Supplies Portfolio           CA-AR-10-003\n\n\n\n                         APPENDIX C: MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n                                                     12\n\x0cSupplier Risk Mitigation in the Supplies Portfolio        CA-AR-10-003\n\n\n\n\n                                                     13\n\x0c'